Smartphone User Data Could Be at Risk Due to Russian Software: Report

  • Yandex uses software that lets developers create apps for devices which run on Apple and Google systems.
  • That software collects user data sent to servers in Russia, which experts say could be used to track people.
  • Yandex has faced scrutiny amid allegations of censorship following Russia’s invasion of Ukraine.

Smartphone users could be at risk of being tracked by Russian authorities due to app software created by the country’s largest internet firm, the Financial Times reported on Tuesday. 

Yandex’s software development kit, or SDK, called “AppMetrica” lets developers create apps for devices running on Apple’s iOS and Google’s Android systems, the outlet reported.

AppMetrica collects user data that is sent to servers in Finland and Russia, the latter of which, experts told the FT, could potentially be accessed by the Kremlin to track individuals. The paper reported that games, VPNs and messaging applications are among the apps that have AppMetrica installed.

Yandex, sometimes referred to as Russia’s version of Google, has come under close scrutiny following Moscow’s invasion of Ukraine. The internet giant has been accused of censoring news from Ukraine, and the company’s former head of news has urged his ex-colleagues to quit over the firm’s role in potentially aiding censorship. Western sanctions levied against Russia have triggered the resignation of several of its board members. 

“The AppMetrica SDK claims to provide appropriate services, all while phoning home to Moscow with deeply invasive metadata details that can be used to track people across websites and apps,” Zach Edwards, the researcher who made the discovery, told the FT. 

He told the outlet that the use of apps with AppMetrica installed by individuals with “high profile jobs” could leave them vulnerable to “dangerous” attacks or other forms of surveillance.

Yandex told the newspaper that its software does collect “device, network and IP address” data, but that it has a strict process when dealing with government requests.

In a statement sent to Insider, the company said: “Data received by AppMetrica from app developers is stored in a distributed storage platform both in Finland and in Russia, as stated in our Privacy Policy. The data itself is non-personalized and very limited. Yandex cannot identify users based on the information collected.”

The firm added that “we have never given out any information on users of any apps with AppMetrica installed on them, nor have we ever been asked to.”

“To clarify, we do not collect and hence do not send to Russia any sensitive user data that can identify a person (i.e. names, addresses, phone numbers, payment details, personal ID data or other personal details the user shares with the application),” the statement said, adding that it informs developers of how AppMetrica works, and that they must get consent from users if obliged by local law.

It also explained that its software “operates in the same way as international peers such as Google Firebase, Flurry by Yahoo, Adjust and AppsFlyer.”

Another expert, Cher Scarlett, who formerly worked in global security at Apple, told the FT that if data is collected on Russian servers, local legal regulations could still force Yandex to provide it to authorities there.

US Senate finance committee chair Ron Wyden criticized Google and Apple for not taking action against Yandex’s software, telling the FT: “These apps leech private, sensitive data from apps on your phone, threatening US national security and the privacy of Americans and other individuals around the world.”

“We’re always working to improve privacy and transparency on Google Play, including efforts around SDKs, and are reviewing the allegations in this report,” a Google spokesperson told Insider, referring to the FT’s report. “When we find apps that violate Google Play’s policy, we take appropriate action.”

Apple told the FT that accessing user data would require consent from the user. The company did not immediately respond to Insider’s request for comment.

In recent weeks, some app developers, such as games-app developer Gismart, have removed AppMetrica from their apps, the FT reported.

“We made a decision to stop using Russian-owned services when the war started,” Gismart’s spokesperson told the FT.

Web browser Opera told the newspaper that it had disabled Yandex’s SDK on February 15 and was preparing for its “full removal.”